Apigee Edge Business Partner Authentication / Authorization via Mutual TLS and Trust Stores


We are using Apigee Mutual TLS features and would like to only grant access to trusted business partners, based on their certificate public keys (from trusted third parties like Comodo / Entrust).

We can get client certificate calls working but my problem is around denying access to unauthorized callers. It feels like Trust Stores should represent the above B2B concept, however:

* Trusted Root Authorities (Comodo, Entrust) seem to need to be explicitly imported into trust stores

* Once done, anyone with a Comodo Personal Authentication Certificate can get past certificate checks for our API, which we'd like to avoid

It feels like the only mechanism that will meet our requirement is to import root certificates into the trust stores and then to write some kludgy code like this, since I don't think trust stores support the B2B model we want.

<Step>
    <!-- RaiseFault policy that rejects the call when the client cert CN is not one of our partners -->
    <Name>RaiseFault-Unauthorized</Name>
    <Condition>client.cn != "Partner1" and client.cn != "Partner2"</Condition>
</Step>

Before we implement the above, I thought I'd ask if anyone has found a better way to meet the above B2B requirement? Any help would be much appreciated.


Hi Gary

Yes, I understand the problem.

You want to use TLS to authenticate clients... but the way Edge works, you need to add in the entire CA chain into the truststore, which means anyone with a Comodo-signed cert can access the 2-way TLS vhost of your API.

I don't know of a way to verify the specific client beyond:

  • rely on a private Root CA. IOW, you sign the client certs yourself, with your own CA, and put THAT CA into the truststore. In that way, only certs signed specifically by you will be allowed in by the 2-way TLS vhost.
  • Rely on conditions that examine the client.cn, or other context variables associated to the client cert.

If you use the latter, you could factor it out into a SharedFlow, or a JavaScript step that does a comparison based on a set of values you read from a KVM.
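
The "JavaScript step plus KVM" option above, and the hard-coded Condition in the original question, can be combined into one allowlist check. The script below is an added example, not code from the post or from Apigee. It assumes a KeyValueMapOperations policy has already copied a KVM entry into the flow variable partner.allowlist (a comma-separated list of "CN|O" pairs; both the KVM name and the variable names are hypothetical), that client.cn is populated as in the original post, and that client.organization is likewise populated from the client certificate subject (an assumption). The result is written to partner.authorized so a RaiseFault step can be conditioned on it.

```javascript
// Added example (not from the original post or from Apigee): an Apigee JavaScript
// policy that allows a mutual-TLS call only when the client certificate's subject
// matches an entry in a partner allowlist read from a KVM.
//
// Assumed proxy wiring (hypothetical names):
//   1. A KeyValueMapOperations policy has already copied the KVM entry
//      "partner.allowlist" into the flow variable "partner.allowlist".
//      The value is a comma-separated list of "CN|O" pairs, e.g.
//      "Partner1|Partner One Ltd,Partner2|Partner Two GmbH".
//   2. This script runs as a JavaScript policy in the PreFlow, after that step.
//   3. A RaiseFault policy (e.g. RaiseFault-Unauthorized) runs when the
//      flow variable "partner.authorized" equals "false".
//
// client.cn is the variable used in the original post; client.organization is
// assumed to be populated from the client cert's subject as well.
// Written in ES5 style because Apigee JavaScript policies run on Rhino.

// Parse the allowlist once into an array of "cn|o" keys.
function parseAllowlist(csv) {
  var entries = [];
  if (!csv) { return entries; }
  var parts = String(csv).split(',');
  for (var i = 0; i < parts.length; i++) {
    var e = parts[i].trim();
    if (e.length > 0) { entries.push(e); }   // skip empty tokens from stray commas
  }
  return entries;
}

// Exact, case-sensitive match of the presented subject against the allowlist.
// Returns the matching partner key or null. A missing CN or O never matches,
// so a caller that presented no usable certificate is always rejected.
function matchPartner(cn, org, allowlist) {
  if (!cn || !org) { return null; }
  var key = cn + '|' + org;
  return allowlist.indexOf(key) >= 0 ? key : null;
}

// Glue: read Apigee flow variables, decide, and write the result back.
// Returns true when the caller is an allowlisted partner.
function authorizeCaller(ctx) {
  var allowlist = parseAllowlist(ctx.getVariable('partner.allowlist'));
  var partner = matchPartner(ctx.getVariable('client.cn'),
                             ctx.getVariable('client.organization'),
                             allowlist);
  ctx.setVariable('partner.authorized', partner !== null ? 'true' : 'false');
  ctx.setVariable('partner.id', partner || '');
  return partner !== null;
}

// Stand-in for the Apigee `context` object so the script can be exercised
// locally; inside Apigee the real `context` global is used instead.
function makeLocalContext(vars) {
  return {
    getVariable: function (name) { return vars.hasOwnProperty(name) ? vars[name] : null; },
    setVariable: function (name, value) { vars[name] = value; }
  };
}

var ctx = (typeof context !== 'undefined') ? context : makeLocalContext({
  // constructed sample values standing in for a real client certificate
  'partner.allowlist': 'Partner1|Partner One Ltd, Partner2|Partner Two GmbH',
  'client.cn': 'Partner1',
  'client.organization': 'Partner One Ltd'
});
authorizeCaller(ctx);
```

In the proxy, the step after this policy would be the RaiseFault from the original question with its Condition changed to partner.authorized = "false", so adding or removing a partner is a KVM edit rather than a proxy redeploy. Matching on CN and organization together, rather than CN alone, narrows what a stranger holding a certificate from the same public CA can present; the private-CA option in the first bullet needs no script at all, since the truststore itself then only admits certificates you issued.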

Thanks for the answer Dino - helps confirm I was on the right track.

I've worked on quite a few Mutual TLS solutions, such as using the Windows Trusted People Store to hold partner client certificate public keys. Seems pretty crazy that Apigee Trust Stores don't enable the above type of solution. But that's the world of vendor software I guess!

We will proceed with the key value map option you suggested, and only use Trust Stores to manage root certificates. Appreciate the feedback.